Note that it is a bug if you can write your own better black_box #140341
Conversation
|
r? @ibraheemdev rustbot has assigned @ibraheemdev. Use |
rustbot
added
S-waiting-on-review
| /// You should not be able to write a better `black_box` than the standard library provides. If you | ||
| /// can write a function that looks like `black_box` but is more effective at hiding the value of | ||
| /// the argument from optimizations, that would be a bug and should be reported. It just would not | ||
| /// be a *security* bug. |
There was a problem hiding this comment.
I'm not sure if that's quite true. For example user code might choose to use FFI and setup linking to evade LTO, I don't think std/rustc is going to jump through those kinds of hoops since it can't control linking of generic instantiations.
There was a problem hiding this comment.
Perhaps "you should not be able to use other parts of the standard library to write a better..." then?
There was a problem hiding this comment.
I'm not sure what you mean by evading LTO. If LTO can see through black_box it's already quite non-functional for benchmarking.
There was a problem hiding this comment.
A weak blackbox implementation might prevent DCE of the input but not optimizations based on properties of the output value.
You can also replace LTO with other post-link optimizations such as wasm JIT and user code taking steps avoid that.
There was a problem hiding this comment.
A JIT can break any black box so I'm not sure what point you are trying to make.
There was a problem hiding this comment.
A JIT will have blind spots or even explicit escape hatches and you can make a targeted blackbox using those.
The point I'm making is that users may be "able to write a better black_box" under specific circumstances and the standard library won't adopt those.
There was a problem hiding this comment.
A weak blackbox implementation might prevent DCE of the input but not optimizations based on properties of the output value.
that's an example where you could do better, and it would indeed be a buggy implementation that should be reported, as the docs say.
There was a problem hiding this comment.
No, I meant that as an example for a hypothetical backend or target where that's the best we can do.
E.g. by making a value "escape" to a static we could prevent DCE but the backend lacks a way to make the value opaque because it's a single-threaded closed-world environment that has no concept of MMIO or interactions with the environment outside the abstract machine other than special IO instructions, so even volatile would get lowered to plain stores and loads.
|
I think that talking about bugs confuses the message we are trying to send. What we really want to say is that there is no mechanism in the entire Rust language that can get you the guarantees you want for constant-time cryptography: you can't do better than |
|
I think the subtlety here is that from a spec perspective all approaches are equal; they're not guaranteed, even asking the question is nonsense because the constant-time aspect is not considered an observable property etc. etc.. And some other approaches such as FFI, assymbly or linker trickery just might achieve better results, under specific circumstances. So we can't really promise that this is the strongest possible implementation under all conditions. Maybe something like
|
I strongly disagree with this. If I'm writing a crypto library that is using I can't speak for everyone using rust for cryptography, but I think language that helps advocate for the above use case is really important. |
I've mentioned this to a few people offhandedly, thinking I'd gotten it added to the standard library docs. Whoops.